Just an interesting note.

A *long* while back I asked a question here that was never answered.

The scenario/question was:

Connected to the ISP's modem is a home rtr. In this case, a wired-only Linksys of which the m/n escapes me now. The Linksys box is NAT'ing for the internal network of

192.168.1.0/24.

Also attached to the network is a 'real' rtr, with 2 eth interfaces. One of the NIC's is on the

192.168.1.0/24 subnet, the other NIC is on the 192.168.2.0/24 subnet connected to a different switch with a couple of PCs attached as well. The 'real' rtr is configured to a bare minimum, only the IP info of each interface set and G/W & DNS pointing to the ISP rtr, 192.168.1.1.

The question was: will the inexpensive consumer rtr properly NAT and pass the 'off-subnet' routed packets?

The answer is yes, it will. (This one anyway.) But, one of the requirements is that a route needs to be placed in the ISP rtr for the 192.168.2.0/24 gateway, being the 192.168.1.x address of the 'real' rtr.

My theory is that if the home rtr being used has a section in the setup for entering static routes, the above scenario will most likely work. To be clear, these entries are not for port mapping in the ISP rtr, and are usually titled 'Routes' or 'Routing' in (one of) the 'Advanced' sections.

Just a worthless tidbit, ignore it if you like.

(The history behind the question was that I was thinking about sharing my internet connection with a relative, but wasn't really keen on the Layer 2 bridging way of doing it and having all my LAN traffic up in the air. Plus, I already have several complete PtP pairs of some (of The Old) Clearwire proprietary system that operates on Layer 3, which would have put the other end on a different subnet.)

DanS

Impossible. Someone always answers questions. Sometimes, the answers are even correct.

> of which the m/n

Ok, you're off the hook for forgetting to supply the muddle number. Just don't make a habit of it.

You mean there are unreal routers out there? Try tapping the router with a magic wand. If it disappears in a puff of smog, it's not a real router but an illusion. Incidentally, I think your "real" router is going to require 3 ethernet interfaces.

> to a different switch

> minimum, only the IP info

Ummm.... is this in addition to the unspecified model Linksys real router, or is this a replacement for the unspecified model Linksys real router?

> the 'off-subnet' routed

Sure. No problem at all. However, it won't work with your creative IP address layout. You cannot have the ISP's router at 192.168.1.1 and also NAT one of the output ports in the same subnet. Also, if it's coming from the ISP's modem, the common input port will probably have a routable IP address delivered by the ISP's DHCP server.

> that a route needs to be

> address of the 'real' rtr.

Huh? Perhaps it would be helpful if you would describe this mythical real router of yours. From your muddled description, my guess is that it has 3 ports. One for the WAN going to the modem. Two other going to two separate subnets. Unless I'm reading this wrong, the Linksys just magically became the "real" router in your last statement.

> for entering static routes,

> for port mapping in the ISP

Static routes are where you want to route an entire subnet *THROUGH* a single IP address, usually over the internet. Something like a branch office. That will only work if the branch office has yet another router.

Right. I should have ignored it. Too late.

> internet connection with a

> having all my LAN traffic up in

> Old) Clearwire proprietary

> different subnet.)

Huh 2.0? *ALL* wireless is Layer 2 (MAC layer) bridging. However, this isn't really a wireless question so you have some room to screw things up.

You can split the network using two different class C networks, but methinks that's too much work. It's easier with a subnet and this is a job for routing. Split the subnet in half with two /25 networks. Alias your default gateway (IP address of the "real" router) to two different IP addresses, one each inside each subnet. Setup netmask and routing so that each subnet doesn't see the other. You might be able to avoid the aliasing trick if your PC's support a default gateway that's not inside their netmask.

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

I'm sure you know what I mean by 'real' rtr. À la Cisco, Cabletron, etc.

I guess I didn't explain it well....

There is a network at work. It connects to a cable ISP using the (unnamed) consumer grade Linksys cable/DSL rtr. I had (probably mistakenly) used the phrase ISP rtr meaning the rtr that connects to the internet. The inside of that rtr is 192.168.1.0/24, the office LAN. The outside is the internet, the WAN side.

Now, hang a Cisco 1750 (or like) on the 192.168.1.0/24 network, and give the Cisco's other NIC a

192.168.2.0/24 address. Add PCs on the Cisco's 192.168.2.0/24 NIC, all addressed for 192.168.2.0/24.

Internet access is from a .2.1 PC --> (.2.222) Cisco rtr (.1.222) --> (.1.1) Linksys (global) ---> Internet

Come on Jeff.....maybe ALL consumer grade 802.x wireless is L2, but not ALL wireless, and certainly ALL wireless isn't 802.x. The equipment I have is L3 based, *proprietary*, and designed for cell site use with up to 24 sectors and is GPS synchronized as well. Yes, synchronized, and completely legal, by way of how the gear is FCC licensed.

And, the entire reason I did this setup was for testing a 900 MHz ISM L2 IP bridge that was being clobbered by the 'other' network traffic, because, well, it was L2 and not L3. I needed isolation.

(The L2 vs L3 discussion was a couple of months ago if you recall.)

A subnet's a subnet, whether it's a /24 or /25, and it still requires some type of routing. I've never seen a piece of IP equipment that allowed me to set a default gateway that was not within its subnet.

DanS

Of course. However, I'm rather partial to specifics, such as maker, model number, options, firmware version, etc. This is not a theoretical or general question, so there is no benefit in leaving out the specifics. The litany is always the same:

  1. What are you trying to accomplish?
  2. What do you have to work with? You kinda messed up on both.

I can assure you that your guess is correct.

> consumer grade Linksys

> rtr that connects to the

> outside is the internet, the WAN

So far so good. Basically, you don't have access to the WAN side of the unspecified Linksys router. I'll assume its IP address is 192.168.1.1.

> Cisco's other NIC a

No problem. That's called "double NAT". It works but has problems with some protocols that need port forwarding from the internet through both routers. For example, if you wanted to use some remote control software to your desktop, you would need to port forward in BOTH routers.

> Linksys (global) ---> Internet

Got it. However, electrons and internet access flows from left to right. Internet should be on the left and your desktop on the right.

> wireless, and certainly

> designed for cell site

> and completely legal,

Well, ok. I should have been more specific. Change that to: *ALL* IP based 802.11 wireless is Layer 2 (MAC layer) bridging.

> bridge that was being

> I needed isolation.

Good plan. There's no reason I can see that double NAT shouldn't work for your testing. Wireless ISPs (WISPs) do it all the time. They deliver non-routeable IPs to their customers, who have NAT routers at home for their various machines. As long as you don't have to do port forwarding games, it works.

I've been trying to forget that one.

I thought you were trying to split the IP block between two isolated LAN's. I guess not. Just ignore my suggestions.

> within its subnet.

Windoze 2000, XP, and possibly Vista allow for default gateways that are outside the netmask. 95/98/ME do not. My DD-WRT v24 SP1 router will not allow it on the WAN interface. (I just tried it.) I'm not sure about other routers. However, it's easy enough to assign multiple IPs, one for each subnet, to the LAN IP address, and not worry about it.

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

And that is a good assumption.

You were with me up to this point.

It's NOT double NAT, and that was my reason for posting the info. There was no NAT at the Cisco rtr, only the actual IP routing functions.

An internet bound packet from the .2.0 subnet is sent to the default g/w, the Cisco rtr. The Cisco rtr then sends that packet to its default G/W, .1.1, the consumer grade Linksys rtr that DOES provide NAT for the network.

At the Linksys rtr, which IS the internet connection, the packet is STILL addressed as being from the .2.0 network, then NAT'd and sent to wherever on the internet.

This is where the static route comes in. The Linksys rtr needs to know how to get back to the .2.0 subnet, so a static route is set in the Linksys rtr having the Cisco as the g/w for .2.0.

As for incoming connections, a port only needs to be mapped at the Linksys internet router. For instance, a web server on port 80 needs to be forwarded to 192.168.2.100. And that's it, since it's got a static route back to .2.0. There's nothing to do in the Cisco rtr.

So, in conclusion, the Linksys BEFSR41 wired-only rtr properly NAT's 'off-subnet' traffic.

DanS

Then say so. When you generalized with translating 192.168.1.0/24 to 192.168.2.0/24, I assumed you intended to use NAT. However, we're now talking Cisco-speak, so that's really PAT (port address translation). NAT (network address translation) is a 1:1 IP to IP translation. So, you assign a block of IPs on the outside (WAN) port of the Cisco router, which maps to a corresponding list of IPs on the inside (LAN) port. No need for port forwarding with that arrangement.

I think this covers Cisco style 1:1 NAT:

Agreed. The outside port of the Cisco may have a block of IP addresses, but all of them have a default gateway pointing to the Linksys LAN side IP address.

Agreed. That's the way the Linksys works.

No it does not. The default gateway of any device plopped onto the LAN side of the Linksys router has a default route set to the LAN side IP address of the Linksys.

Meanwhile, the outside (WAN) port of the Cisco router has a block of IP addresses available but all of them have a default route pointing to the Linksys LAN side IP address. Actually, that's not quite correct. There is a block of IP's, but only one default route for the Cisco which points to the Linksys IP (192.168.1.1).

Yep, with 1:1 NAT, that's the way it works.

Sure, with the help of an additional router.

Incidentally, make sure that the block of outside (WAN) side IPs on the Cisco do not land inside the DHCP assigned area on the Linksys.

Jeff Liebermann

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

I did in the OP.

What does not ?

In the Linksys rtr (effectively, if it had a cmd prompt):

route add 192.168.2.0 mask 255.255.255.0 192.168.1.222

This is absolutely needed in the Linksys so packets will get back to the .2.0 subnet.

The Cisco has no blocks of IP addresses. All it has is 2 eth interfaces, one on each subnet.

Well there would be no other way to get a routed packet from a different subnet onto the Linksys LAN otherwise.

Uh... am I confused, or are you?

As I said in the OP: "The 'real' rtr is configured to a bare minimum, only the IP info of each interface set and G/W & DNS are pointing to the ISP rtr, 192.168.1.1."

I don't know where you are getting 'blocks of IP addresses' from. The Cisco rtr was:

  1. Turned on to its default unconfigured state.
  2. Had ether1 set to: 192.168.1.222/24 g/w:192.168.1.1
  3. DNS was set to 192.168.1.1 (and to forward DNS requests)
  4. Then ether2 set to 192.168.2.222/24
  5. Save changes.

The Linksys rtr then had a static route added:

192.168.2.0/24 g/w'd to 192.168.2.222

And that's it. No DHCP. Just plain routing, no additional addressing of any kind, or additional configuration.

Now, any device plugged into the 192.168.2.0 side of the Cisco obviously needs an IP in the .2.0/24 range, and DNS & G/W set to 192.168.2.222 (the Cisco rtr), and that's it.

And I was shocked when the Linksys NAT'd this properly.

DanS
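The forwarding and NAT decisions the thread is arguing about can be written down as a small routing-table model. This is an added example, not code from the thread or from either router's firmware: it does longest-prefix-match routing plus PAT on one interface, and replays the four packets that matter (a host on .2.0/24 going out through the Cisco, the Linksys NATing a source it has no interface on, the reply coming back, and an unsolicited port-80 packet hitting the port forward). The Linksys WAN address, ISP gateway and internet hosts are assumed documentation-range values, not from the thread. The static route's next hop is the Cisco's 192.168.1.222 address, as the `route add` line earlier in the thread has it; a next hop on 192.168.2.0/24 would not be on any interface the Linksys has and could not be used. The model also shows the failure mode when the static route is missing: after un-NATing, the reply to 192.168.2.1 matches only the default route and is sent back out the WAN toward the ISP.

```python
import ipaddress

# Addresses given in the thread
LINKSYS_LAN = "192.168.1.1"
CISCO_ETH1 = "192.168.1.222"      # Cisco interface on the Linksys LAN
CISCO_ETH2 = "192.168.2.222"      # Cisco interface on the second subnet
WEB_SERVER = "192.168.2.100"      # port-80 forward target from the thread
# Assumed values, not in the thread (RFC 5737 documentation ranges)
LINKSYS_WAN = "203.0.113.5"
ISP_GATEWAY = "203.0.113.1"
INTERNET_HOST = "198.51.100.10"


class Packet:
    def __init__(self, src, sport, dst, dport):
        self.src, self.sport = ipaddress.ip_address(str(src)), sport
        self.dst, self.dport = ipaddress.ip_address(str(dst)), dport

    def __repr__(self):
        return f"{self.src}:{self.sport} -> {self.dst}:{self.dport}"


class Router:
    """Longest-prefix-match forwarder; optionally does PAT on one interface."""

    def __init__(self, routes, nat_wan=None, nat_iface="wan"):
        # routes: (prefix, next hop or None if directly connected, egress interface)
        self.routes = [(ipaddress.ip_network(p), nh and ipaddress.ip_address(nh), ifc)
                       for p, nh, ifc in routes]
        self.nat_wan = ipaddress.ip_address(nat_wan) if nat_wan else None
        self.nat_iface = nat_iface
        self.sessions = {}       # wan port -> (inside ip, inside port), dynamic
        self.port_forwards = {}  # wan port -> (inside ip, inside port), static
        self.next_port = 40000

    def lookup(self, dst):
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None
        _, next_hop, iface = max(matches, key=lambda r: r[0].prefixlen)
        return (next_hop if next_hop is not None else dst), iface  # on-link: deliver direct

    def forward(self, pkt):
        """Return (packet as sent, next hop, egress iface); packet is None if dropped."""
        from_wan = bool(self.nat_wan) and pkt.dst == self.nat_wan
        if from_wan:
            # Traffic for the public address: un-NAT first, then route the result.
            inside = self.sessions.get(pkt.dport) or self.port_forwards.get(pkt.dport)
            if inside is None:
                return None, None, "no session or port forward"
            pkt = Packet(pkt.src, pkt.sport, inside[0], inside[1])
        route = self.lookup(pkt.dst)
        if route is None:
            return None, None, "no route"
        next_hop, iface = route
        if self.nat_wan and iface == self.nat_iface and not from_wan:
            # Anything leaving the NAT interface gets its source rewritten, whether
            # the source is on-link or was routed here by another router.
            key = (pkt.src, pkt.sport)
            port = next((p for p, v in self.sessions.items() if v == key), None)
            if port is None:
                port, self.next_port = self.next_port, self.next_port + 1
                self.sessions[port] = key
            pkt = Packet(self.nat_wan, port, pkt.dst, pkt.dport)
        return pkt, str(next_hop), iface


def build_cisco():
    # Two connected subnets plus a default route to the Linksys; no NAT at all.
    return Router([("192.168.1.0/24", None, "eth1"),
                   ("192.168.2.0/24", None, "eth2"),
                   ("0.0.0.0/0", LINKSYS_LAN, "eth1")])


def build_linksys(static_route):
    routes = [("192.168.1.0/24", None, "lan"), ("0.0.0.0/0", ISP_GATEWAY, "wan")]
    if static_route:
        # Next hop is the Cisco's address on the Linksys LAN (must be on-link).
        routes.append(("192.168.2.0/24", CISCO_ETH1, "lan"))
    r = Router(routes, nat_wan=LINKSYS_WAN)
    r.port_forwards[80] = (ipaddress.ip_address(WEB_SERVER), 80)
    return r


def trace(static_route):
    cisco, linksys = build_cisco(), build_linksys(static_route)
    # 1. Host on the second subnet opens a connection to the internet.
    p1, hop1, _ = cisco.forward(Packet("192.168.2.1", 5555, INTERNET_HOST, 80))
    # 2. The Linksys sees a source it has no interface on and NATs it anyway.
    p2, _, if2 = linksys.forward(p1)
    # 3. The reply returns to the public address and must find its way to .2.0/24.
    p3, hop3, if3 = linksys.forward(Packet(INTERNET_HOST, 80, LINKSYS_WAN, p2.sport))
    # 4. Unsolicited inbound to port 80 hits the port forward.
    p4, hop4, if4 = linksys.forward(Packet("198.51.100.77", 4321, LINKSYS_WAN, 80))
    return {"cisco_src_unchanged": str(p1.src) == "192.168.2.1", "cisco_next_hop": hop1,
            "nat_src": str(p2.src), "nat_egress": if2,
            "reply_dst": str(p3.dst), "reply_next_hop": hop3, "reply_egress": if3,
            "fwd_dst": str(p4.dst), "fwd_next_hop": hop4, "fwd_egress": if4}


if __name__ == "__main__":
    for flag in (True, False):
        print("static route" if flag else "no static route", trace(flag))
```

Run it and compare the two traces: with the static route, both the NAT reply and the port-forwarded packet leave the LAN interface toward 192.168.1.222; without it, both leave the WAN interface toward the ISP gateway, which is exactly the "spitting them back out to its default gateway" case later in the thread. The Cisco never rewrites the source address, which is what distinguishes this from double NAT.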

When I read your first post in this thread the other day, I silently nodded to myself and said of course that will work, why wouldn't it, it's fairly straightforward. As I understand it, you have a LAN that is separated from the WAN by a Linksys NAT router, and you have a second network hanging off your LAN, separated from your LAN by a Cisco-like router (no NAT). That second network needs to traverse your LAN to get out to the Internet, and the Linksys needs a static route to know how to forward packets back to the second network rather than spitting them back out to its default gateway, which would be in the wrong direction out on the WAN. All in all, simple and straightforward, I was thinking. Assuming I have it right, of course.

And then Jeff started asking questions and talking about double NAT, Cisco PAT/NAPT, mapping sets of IPs to other sets of IPs and so on, and I started to get all confused.

I still think what you're doing is fairly simple and straightforward, despite the twists and turns the discussion has taken.

Char Jackson

Char Jackson wrote in news: snipped-for-privacy@4ax.com:

> 192.168.2.222

Well, at least someone understood. Although I probably could have explained it a bit better. Diagrams and graphics go a long way in describing technical stuff like this, but this is a non-binary group. Even trying to put together a crude diagram using text is a futile effort nowadays with newsreaders using variable width fonts.

(OT: ASCII Art, anyone? [link], or this is neat: [link], you can upload an image and get an ASCII Art representation of it back.)

But I digress. The reason I wasn't sure it would work was because the Linksys is just a standard commodity home cable/DSL router and the ultimate source/destination is a subnet that is not connected to the Linksys directly.

I don't think my home D-Link rtr will do this, as there is no entry for static routes in the setup pages, only for port forwarding. The D-Link DI-604 may not do it either. I was using one of those as a switch only to connect devices to the inside-the-inside LAN, and that didn't have static route entry either. (I subsequently removed the 604 and in its place am now using a cheesy 10 Mbps hub there. I need to sniff packets to devices on the extra LAN, and a switch just won't get that job done.)

DanS

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.